Tuesday, August 16, 2011

Firmware Passwords on New Macs

According to the KB article TS3554, new Macs have a different way of resetting the firmware password, should you forget it. More on that later.

What I want to discuss is the new tool for setting your firmware password.

No Longer is the nvram used when configuring the password. The nvram settings are outright ignored. The Firmware Password Utility shipped by Apple has been updated to accommodate this change.

I am unsure of WHERE or HOW the passwords is configured, but I do know that Apple has a new binary tool to configure it via the command line. "setregproptool" can now be used to configure your firmware password.

Finding information of this update from the MacEnterprise email list points me to the install DVD that shipped with our newest iMacs.

To locate this tool, Tomas has given you a path to it on the USB flash drive that came with Macbook Airs. Well, the DVD path is almost the same, except for a few slight changes to the media name.

Here are some directions to get the binary tool:
1) Insert your Install DVD to your Mac.
2) Open the Terminal.app from /Applications/Utilities/
3) Paste in this line:
cp /Volumes/Mac\ OS\ X\ Install\ DVD/Applications/Utilities/Firmware\ \
Password\ Utility.app/Contents/Resources/setregproptool ~/Desktop/

The setregproptool should appear on your desktop, assuming the name of the DVD is the same as I have in my command. YMMV.

Now that you have the binary tool, you can distribute it by whatever means you find the best. Scripts can be written to call it. You can now have fun.

The setregproptool has a nice little man page to help you configure your firmware password. In our case, we simply want a firmware password when choosing the "option boot" or command mode.

$ setregproptool -m "command" -p secretpassword

If a password is currently set, it will prompt you for it.

As Thomas Larkin talks about in his MacE post, the check flag (-c) was not correctly reporting that the password was set. While this may be an issue for some people it was of little concern for me, at least, for now!

Now that you can set your firmware password again, lets talk about what happens when you FORGET it!

A) Don't forget it.
B) If you do, you have to boot your Mac into the firmware password screen.

This screen provides a hash that can be sent to Apple. I assume Apple has a way to reverse this hash and respond to you with the firmware password.

All things considered, you should never see this screen. Hopefully you have a way to manage your passwords that is secured and is available to at least two people.

When that inevitable time comes that someone forgets it, your going to have to jump through some hoops.

If your an Authorized Service Center, or a Authorized Self Service Center for Apple, you can talk to the friendly TPSS support staff to have your hash reversed.

If your not, your going to need to find someone that is. That means a trip to your closest Apple Store or other Authorized Service Center.

Please avoid the hassle and don't forget your firmware password.

Good luck!


MacEnterprise Post:

Apple KB on resetting the FW password:

Products Affected as of 08/2011
MacBook Air (Late 2010), MacBook Pro (17-inch, Early 2011), MacBook Pro (15-inch, Early 2011), MacBook Pro (13-inch, Early 2011), MacBook Air (Mid 2011), iMac (27-inch, Mid 2011), iMac (21.5-inch, Mid 2011), Mac mini (Mid 2011)


Anonymous said...

For the GUI inclined the Lion version of Firmware Password Utility.app works fine on the new Mac's that require it. This app also works fine on newer Mac's that can stil run 10.6.8 i.e. the early 2011 MacBook Pro's


Unknown said...

My firmware password works just fine on the firmware password screen but it has a character that the Firmware Password Utility.app considers invalid, and because of this it doesn't let me change it. How can I solve this?

Rusty Myers said...

If you can use the setregproptool, you may be able to pass the special character to remove the firmware password from the Mac.

For example, if your special character is ?, try putting a \ in front of it: